
Automated SSL certificate renewal for Palo Alto

Palo Alto firewalls won't update a renewed certificate on their own. CertKit will.

Palo Alto firewalls bind to named certificates in PAN-OS. When a certificate renews, the binding doesn't refresh until someone imports the new PEM + key via the GUI or XML API and commits the configuration. Every 47 days. On every firewall in your fleet.

CertKit centralizes certificate issuance and renewal, then pushes updated certificates to your Palo Alto devices automatically via the CertKit Agent and PAN-OS XML API.


How it works

 Your network            CertKit                 ACME CA
┌───────────────────┐     ┌──────────────────┐    ┌─────────────┐
│  ┌─────────────┐  │     │                  │    │             │
│  │CertKit Agent│◄─┼─────┤  Issue & Renew   │◄──►│             │
│  └──┬────┬─────┘  │     │   Certificates   │    │             │
│     │    │ XML    │     │                ┌───┐  └─────────────┘
│     │    │ API    │     └───────────┬────│DNS│
│     ▼    ▼        │                 │    └───┘
│ ┌──────────────┐  │                 │
│ │ Palo Alto    │  │                 │
│ │ [x] Imported │  │ ◄───────────────┘
│ │ [x] Committed│  │       Verify
│ └──────────────┘  │
└───────────────────┘

CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record; CertKit handles every ACME challenge after that. Your firewalls do not run ACME, do not need port 80 open, and never store DNS credentials. The agent talks to PAN-OS over HTTPS using a scoped XML API account.

CertKit has transformed how Belden manages SSL certificate issuance, delivering a streamlined process that dramatically reduced both cost and complexity. Their solution has been a clear win for our organization.

Ryan Buckner, IT Infrastructure Analyst, Belden

Palo Alto deployment script

# Palo Alto Networks — SSL/TLS Certificate Deployment
#
# Imports a renewed PEM certificate and private key into a Palo Alto
# firewall via the PAN-OS XML API, then commits the configuration.
# Works on PA-Series and VM-Series devices.
#
# Injected variables (set by CertKit Agent):
#   $paHost            - Firewall management hostname or IP
#   $paUsername        - XML API user (Commit + Import permissions)
#   $paPassword        - Password for that user
#   $paCertificateName - Certificate name in PAN-OS
#   $certPath          - Path to the PEM cert + chain on disk
#   $keyPath           - Path to the PEM private key on disk
#
# Prerequisites:
#   - PowerShell 5.1+ with HTTPS access to the firewall
#   - XML API account with Commit and Import permissions
#   - Certificate generated as "PEM (Cert + Key)" format

# Windows PowerShell 5.1 routes Invoke-WebRequest through the IE parsing engine
# unless basic parsing is requested; PowerShell 6+ accepts and ignores the switch.
$additionalHttpParams = @{ UseBasicParsing = $true }

# Windows PowerShell 5.1 runs on .NET Framework, which may not offer TLS 1.2 by
# default; the PAN-OS management interface requires it.
if ($PSVersionTable.PSVersion.Major -lt 6) {
    Add-Type -TypeDefinition "using System.Net; ..."   # type definition truncated in this excerpt
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
}

The complete deployment script ships in your CertKit account.

The CertKit Agent runs the deployment script automatically on every renewal. It requests a fresh XML API key, uploads the renewed certificate and key, and commits the configuration. No GUI clicks, no manual scp, no waiting on the next maintenance window.
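The exchange described above, written out step by step as an added example. This is not the script CertKit ships and not Palo Alto's code; it is a stand-alone PowerShell illustration of the PAN-OS XML API calls a deployment makes on each renewal, with every reply checked before the next step runs. It assumes PAN-OS 9.0 or later (the API key is sent in the X-PAN-KEY header rather than the URL), an API user limited to Import and Commit, a private key PEM that is passphrase-protected as the import call expects, and a management-interface certificate the host already trusts, so default TLS validation stays on. The hostname, user, certificate name, file paths and passphrase are placeholders.

```powershell
# Added example (not CertKit's shipped script): PAN-OS XML API renewal push.
# keygen -> import certificate -> import private key -> commit -> poll the job.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.Net.Http

$paHost            = 'fw-placeholder.example.internal'   # placeholder
$paUsername        = 'certkit-api'                       # placeholder, Import + Commit only
$paPassword        = Read-Host -Prompt 'API user password' -AsSecureString
$paCertificateName = 'gp-portal-cert'                    # placeholder PAN-OS object name
$certPath          = 'C:\certkit\gp-portal.crt'          # PEM leaf + chain
$keyPath           = 'C:\certkit\gp-portal.key'          # PEM private key, passphrase-encrypted
$keyPassphrase     = Read-Host -Prompt 'Private key passphrase' -AsSecureString

$http = [System.Net.Http.HttpClient]::new()              # default certificate validation kept on
$base = "https://$paHost/api/"

function ConvertFrom-SecureText([securestring]$Secret) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Sends one request, parses the XML reply, and fails closed unless status="success".
function Send-PanRequest($Request, [string]$Step, [string]$ApiKey) {
    if ($ApiKey) { $Request.Headers.Add('X-PAN-KEY', $ApiKey) }
    $response = $http.SendAsync($Request).Result
    $body     = $response.Content.ReadAsStringAsync().Result
    [xml]$reply = $body
    if ($reply.response.status -ne 'success') {
        throw "$Step failed (HTTP $([int]$response.StatusCode)): $($reply.response.OuterXml)"
    }
    return $reply
}

# 1. keygen: credentials travel in the POST body, so they never land in URLs or proxy logs.
function Get-PanApiKey {
    $fields = [System.Collections.Generic.Dictionary[string,string]]::new()
    $fields['user']     = $paUsername
    $fields['password'] = ConvertFrom-SecureText $paPassword
    $req = [System.Net.Http.HttpRequestMessage]::new([System.Net.Http.HttpMethod]::Post, "${base}?type=keygen")
    $req.Content = [System.Net.Http.FormUrlEncodedContent]::new($fields)
    (Send-PanRequest $req 'keygen').response.result.key
}

# 2/3. import: one multipart upload per object. The certificate must exist before its
#      key is imported, and the key import requires the passphrase the PEM is encrypted with.
function Import-PanObject([string]$Category, [string]$Path, [string]$ApiKey, [string]$Passphrase) {
    $query = "type=import&category=$Category&format=pem" +
             "&certificate-name=$([uri]::EscapeDataString($paCertificateName))"
    if ($Passphrase) { $query += "&passphrase=$([uri]::EscapeDataString($Passphrase))" }
    $form = [System.Net.Http.MultipartFormDataContent]::new()
    $form.Add([System.Net.Http.ByteArrayContent]::new([IO.File]::ReadAllBytes($Path)),
              'file', [IO.Path]::GetFileName($Path))
    $req = [System.Net.Http.HttpRequestMessage]::new([System.Net.Http.HttpMethod]::Post, "${base}?$query")
    $req.Content = $form
    Send-PanRequest $req "import $Category" $ApiKey | Out-Null
}

# 4. commit: the reply only confirms the job was queued; the job id is what gets tracked.
function Invoke-PanCommit([string]$ApiKey) {
    $cmd = [uri]::EscapeDataString('<commit></commit>')
    $req = [System.Net.Http.HttpRequestMessage]::new([System.Net.Http.HttpMethod]::Get, "${base}?type=commit&cmd=$cmd")
    (Send-PanRequest $req 'commit' $ApiKey).response.result.job
}

# 5. poll until the job reports FIN; any result other than OK (for example a
#    candidate-config validation error) is raised instead of being reported as deployed.
function Wait-PanJob([string]$ApiKey, [string]$JobId, [int]$TimeoutSec = 600) {
    $cmd = [uri]::EscapeDataString("<show><jobs><id>$JobId</id></jobs></show>")
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 5
        $req = [System.Net.Http.HttpRequestMessage]::new([System.Net.Http.HttpMethod]::Get, "${base}?type=op&cmd=$cmd")
        $job = (Send-PanRequest $req 'job status' $ApiKey).response.result.job
        if ($job.status -eq 'FIN') {
            if ($job.result -ne 'OK') { throw "Commit job $JobId finished with result '$($job.result)'" }
            return $job.id
        }
    }
    throw "Commit job $JobId did not finish within $TimeoutSec seconds"
}

$apiKey = Get-PanApiKey
Import-PanObject -Category 'certificate' -Path $certPath -ApiKey $apiKey
Import-PanObject -Category 'private-key' -Path $keyPath  -ApiKey $apiKey -Passphrase (ConvertFrom-SecureText $keyPassphrase)
$jobId = Invoke-PanCommit -ApiKey $apiKey
Wait-PanJob -ApiKey $apiKey -JobId $jobId | Out-Null
Write-Host "Deployed '$paCertificateName' to $paHost (commit job $jobId)"
```

Two choices matter operationally: the API key is requested fresh each run and never written to disk, and the commit is not treated as done until the job itself reports OK, because a queued commit can still fail validation minutes later.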

The pre-built Palo Alto template ships with your CertKit account. Configure the firewall hostname, API credentials, and certificate name once. CertKit handles every renewal after that.

What CertKit handles

Setup takes about ten minutes

  1. Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
  2. Create a PAN-OS API user. A scoped account with Commit and Import permissions is all CertKit needs. No root, no superuser.
  3. Install the CertKit Agent. One command on any Windows or Linux host with HTTPS reachability to the firewall. The agent runs as a background service and needs no inbound firewall rules.
  4. Add the Palo Alto deployment script. The pre-built template is in your account. Set your firewall hostname, API credentials, and certificate name. CertKit runs it on every renewal.
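After step 4 the one check worth automating is whether the firewall is actually serving the renewed certificate. The PowerShell below is an added example, not CertKit or Palo Alto code: it loads the PEM that was pushed, opens a TLS connection to the listener (with SNI, so the right portal or vsys certificate comes back), and compares thumbprints. Validation is deliberately short-circuited inside the callback because the comparison, not the chain, is the check here; the hostname and path are placeholders.

```powershell
# Added example: confirm the certificate a PAN-OS listener serves matches the PEM on disk.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-PemThumbprint([string]$PemPath) {
    # X509Certificate2 reads the first PEM block, i.e. the leaf ahead of the chain.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PemPath)
    return $cert.Thumbprint
}

function Get-ServedCertificate([string]$TargetHost, [int]$Port = 443) {
    # Accept whatever the peer presents; the caller compares thumbprints explicitly.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        return $true
    }
    $tcp = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
    $ssl = $null
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($TargetHost)     # sends SNI for $TargetHost
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

function Test-DeployedCertificate([string]$PemPath, [string]$TargetHost, [int]$Port = 443) {
    $expected = Get-PemThumbprint $PemPath
    $served   = Get-ServedCertificate $TargetHost $Port
    [pscustomobject]@{
        Host     = "${TargetHost}:$Port"
        Expected = $expected
        Served   = $served.Thumbprint
        Match    = ($expected -eq $served.Thumbprint)
        DaysLeft = [int]($served.NotAfter - (Get-Date)).TotalDays
    }
}

# Placeholders: the PEM CertKit deployed and the GlobalProtect portal it is bound to.
Test-DeployedCertificate -PemPath 'C:\certkit\gp-portal.crt' -TargetHost 'gp-placeholder.example.internal'
```

A non-matching thumbprint after a successful commit usually means the certificate name in the deployment script does not match the object the SSL/TLS service profile is bound to, which is exactly the failure that is otherwise only discovered when the old certificate expires.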


Why not import certificates manually?

The standard PAN-OS renewal workflow is a GUI sequence: Device → Certificate Management → Certificates → Import → upload the PEM and key → click Commit. That works once. Run it manually on a pair of HA firewalls plus a Panorama-managed fleet every 47 days and it becomes a source of outages: missed commits, wrong certificate names, expired bindings on GlobalProtect at 3am.

Running ACME directly on a firewall isn't really an option. Public CAs require HTTP-01 or DNS-01 validation, and neither is appropriate for a hardened security appliance. Storing DNS provider credentials on a firewall is a privilege escalation waiting to happen. Opening port 80 to the public on a perimeter device is worse.

CertKit uses delegated DNS validation handled centrally, so no firewall needs port 80 open or DNS credentials on disk. It issues once and the agent handles distribution via the XML API. There is no per-device ACME configuration and no shared folder to maintain.

Palo Alto is just one part of your network edge

Most networks have more than one place where TLS certificates live: load balancers, VPN concentrators, web servers, and other firewall vendors. CertKit automates all of it from one account.


Start automating Palo Alto certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.
